Re: shadow upgrade 4.1.5.1-1. /pam configuration files




On 07/02/2012 06:47 PM, Tom Gundersen wrote:
Leaving the old file in place should work. Also replacing it with the new
one should work. I guess you did something in between?
On Jul 2, 2012 5:27 PM, "Arno Gaboury" <arnaud.gaboury@xxxxxxxxx> wrote:

Dear list,

I messed up my box yesterday when upgrading shadow, and trying to
understand and merge /etc/pam.d/login with login.pacnew.

I thought it was worth adding the four lines of login.pacnew to my actual
login file. But in this case, I found myself with a box login one user, me,
on two Tty, asking for the password twice at the console login prompt, then
when X started, all GUI apps were very long to display contents, and when I
logged off/logged in, I could see I had two last login on Tty messages. So
I reverted to my original /etc/pam.d/login. Now everything is OK, but I am
wondering if this denial of taking into account the login.pacnew would
leave my system unstable.

TY for help and hints, as PAM and shadow are both quite obscure to me when
it comes to configure.
Below is my actual /etc/pam.d/login. Not sure it is well configured!

#%PAM-1.0
#root is NOT allowed to login
auth        required        pam_securetty.so
#check user is allowed to login
auth        requisite    pam_nologin.so
#auth                include     system-local-login
#default auth settings
#auth include system-auth
auth        required        pam_unix.so shadow nullok
auth        required        pam_tally.so onerr=succeed file=/var/log/faillog
# use this to lockout accounts for 10 minutes after 3 failed attempts
#auth        required       pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/var/log/faillog
#account         include      system-local-login
# include the default account settings
#account   include     system-account
#check access for user
account        required   pam_access.so
account        required         pam_time.so
account        required         pam_unix.so
#password    required    pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
#password    required    pam_unix.so sha512 shadow use_authtok
#session           include      system-local-login
session        required        pam_unix.so
#set default environment for user
session        required       pam_env.so
session        required        pam_motd.so
session        required       pam_limits.so
session        optional      pam_mail.so dir=/var/spool/mail standard
session        optional       pam_lastlog.so
session        optional       pam_loginuid.so
-session    optional    pam_ck_connector.so nox11
-session    optional    pam_systemd.so


I first tried to replace my login file with the *login.pacnew*. But the result was a mess. I then tried to add the four lines to my file. Was a mess too, as according to me it created a kind of double login (2 Tty), I don't know why.
Now back to the original one.

The five lines from *login.pacnew* are the following ones:

auth       required     pam_securetty.so
auth       requisite    pam_nologin.so
auth       include      system-local-login
account    include      system-local-login
session    include      system-local-login

The first two were already on my system, and I kept away the ones with *system-local-login*. BTW, I couldn't find any reference about these 3 lines, even on *red-hat* and *LFS*, which present good documentation about configuring *shadow* and the *pam.d* folder.
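
Added example, not part of the original message or of the shadow/pam packages: a check to run before merging a .pacnew into a hand-edited PAM file, which resolves include lines and reports modules that end up stacked more than once in the same facility. The file contents in SAMPLE, and the name system-login, are constructed for illustration.

```python
import re

# Constructed sample (assumption): stand-ins for /etc/pam.d files; "system-login" is hypothetical.
SAMPLE = {
    "login": """\
auth      required   pam_securetty.so
auth      required   pam_unix.so shadow nullok
auth      include    system-local-login
account   required   pam_unix.so
account   include    system-local-login
session   optional   pam_lastlog.so
session   include    system-local-login
""",
    "system-local-login": """\
auth      include    system-login
account   include    system-login
session   include    system-login
""",
    "system-login": """\
auth      required   pam_unix.so try_first_pass nullok
account   required   pam_unix.so
session   optional   pam_lastlog.so
""",
}

LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def expand(name, files, only=None, seen=()):
    """Return (facility, module, origin_file); an include pulls in same-facility lines only."""
    if name in seen:
        raise ValueError("include loop: " + " -> ".join(seen + (name,)))
    out = []
    for raw in files[name].splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if not m or (only and m.group(1) != only):
            continue
        facility, control, target = m.groups()
        if control in ("include", "substack"):
            out += expand(target, files, facility, seen + (name,))
        else:
            out.append((facility, target, name))
    return out

def duplicates(name, files):
    """Map (facility, module) to its origin files when stacked more than once."""
    hits = {}
    for facility, module, origin in expand(name, files):
        hits.setdefault((facility, module), []).append(origin)
    return {k: v for k, v in hits.items() if len(v) > 1}
```

On a real system the `files` mapping would be built by reading each file under /etc/pam.d into a string keyed by its file name.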


